undefined | Better HN

0 pointsdrdaeman8y ago0 comments

Unless you install some TPM module, RPi itself has no tamper-resistant storage and has DFU (so, basically plug it into a wrong device and it'll be able to run arbitrary code, pulling all secrets).

An FST-01 is a somewhat better choice, but Gnuk doesn't implement U2F. If someone has enough time and knowledge I don't see why it won't be possible to add it, though.

0 comments

Nexxxeh8y ago

Parent-poster said tamper-resistance wasn't an issue in their usage case.

But are you sure it'll DFU over USB?

If so, for avoiding DFU, could you use some simple hardware to disable the data lines on the OTG port until the Pi had finished booting?

Could one use an i2c or spi based crypto chip for key storage?

drdaemanOP8y ago

Actually, no. I think I have confused RPi with some other board.

Don't have Pi at hand to test for sure, but searching online can't find mentions of USB DFU. I think I may be mistaken.

j / k navigate · click thread line to collapse